Firewall Wizards mailing list archives
RE: Security of HTTPS
From: "Ben Nagy" <ben () iagu net>
Date: Mon, 29 Nov 2004 10:04:14 +0100
-----Original Message-----

> On Sun, 2004-11-28 at 10:15, Ng Pheng Siong wrote:
> > In SSL/TLS, the client certificate request is optional, and its typical
> > use, HTTPS, does not require client certificates, so there is no client
> > public/private key here that can be used to "transfer encrypted key material".
>
> Right. But even if client certificates are used, these are only used for authentication (signature check) and not for encryption during master-key negotiation.

If you're using client certs then you should be using one of the Diffie-Hellman cipher suites, shouldn't you? DH is not vulnerable to this type of passive interception attack, and couldn't be attacked in this way[1]. Certificate protected DH is still vulnerable to an active MitM if someone has a copy of the server's private key.

However, the huge bulk of connections use the RSA cipher specs which _are_ vulnerable to the attack you describe.

Looking at it in this light, I am trying to work out why the implementors chose this construction (sending the PMS simply encrypted with the server cert) instead of "one side signed" Diffie Hellman, like IPSec-IKE, which would have obviated the passive sniffing attack. Does anyone know?

Cheers,

ben

[1] eg, http://www.hack.gr/users/dij/crypto/overview/diffie.html
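
The contrast discussed in this message, as an added example that is not part of the original post or thread: a toy model of what a passive observer's recording contains under RSA key transport versus server-signed ephemeral Diffie-Hellman. All function names and parameters are hypothetical; the primes are constructed and far too small for real use, and the RSA is unpadded textbook RSA.

```python
import hashlib
import secrets

# Constructed toy parameters (Mersenne primes), chosen only to show the data flow.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))      # server's long-term RSA private exponent
DH_P, DH_G = 2**127 - 1, 3             # toy DH group; 3 is an assumed base


def sign(value: int) -> int:
    """Textbook RSA signature by the server over a hashed value."""
    h = int.from_bytes(hashlib.sha256(str(value).encode()).digest(), "big") % N
    return pow(h, D, N)


def rsa_key_transport():
    """RSA suite: client sends the premaster secret encrypted to the server key."""
    pms = secrets.randbelow(N - 2) + 2
    wire = {"encrypted_pms": pow(pms, E, N)}   # everything a sniffer records
    return pms, wire


def signed_ephemeral_dh():
    """'One side signed' DH: the server signs its fresh share, IKE style."""
    a = secrets.randbelow(DH_P - 2) + 2        # client ephemeral secret
    b = secrets.randbelow(DH_P - 2) + 2        # server ephemeral secret
    share_c, share_s = pow(DH_G, a, DH_P), pow(DH_G, b, DH_P)
    wire = {"client_share": share_c, "server_share": share_s,
            "server_sig": sign(share_s)}
    pms = pow(share_s, a, DH_P)                # client's view of the secret
    assert pms == pow(share_c, b, DH_P)        # server derives the same value
    return pms, wire


def passive_recovery(wire: dict, server_private_d: int):
    """What a recorded transcript yields once the server private key is known."""
    if "encrypted_pms" in wire:
        return pow(wire["encrypted_pms"], server_private_d, N)
    # DH transcript: the long-term key only signed server_share; a and b never
    # crossed the wire, so there is nothing here for that key to decrypt.
    return None


if __name__ == "__main__":
    for name, run in (("RSA", rsa_key_transport), ("DHE", signed_ephemeral_dh)):
        pms, wire = run()
        print(name, "recovered from recording:", passive_recovery(wire, D) == pms)
```

The DH branch models shares that are generated per session and discarded; it does not cover the active MitM case the message mentions, where a holder of the server key could sign its own share.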